I want to start using this, but I'm concerned what happens when a service changes their domain.
When the domain changes, even subtly like from api.foo.com to www.foo.com, it will break my ability to access the site. If I do not remember the previous URL, I will not be able to recover it.
I was quite surprised to see your extension, it is very similar to my Easy Passwords extension in both concept and design. I've had a brief look at the source code and I guess that it was a completely unrelated development after all?
Please increase the number of iterations, PBKDF2 with 8192 iterations is a very bad idea in year 2016. I would consider 100k iteration the lower limit, my Easy Passwords extension uses 256k. For reference, I described the threat scenario here:
Note that LastPass isn't a good example when it comes to security-relevant decisions. If you are interested, I published a lengthy writeup under https://security.stackexchange.com/a/137307/4778.
I don't think that this is sufficient as long as 8192 is still the default. Personally, I don't think that exposing the number of iteration is a good idea at all - users have no way of knowing how much is enough. Frankly, it took me quite a while to find out what contemporary hardware (especially GPUs) is capable of and how many iterations should be considered safe today.
LessPass starts with 8192 iterations. I prepare the code to increase this number, I will not let users change it. We are creating an interface to change master password and then we will plan a LessPass version change (with a number of iterations changes)
* encrypt password profiles client side.
* help user change their master passwords (https://github.com/lesspass/lesspass/issues/36)
* mobile version(https://github.com/lesspass/lesspass/issues/6)
Change his master password seems to be the biggest problem for many of you. We will address this problem as a priority.